Secure customer communication method and system

ABSTRACT

The method for creating communication encryption keys for use over a communications channel comprises the steps of: selecting a code number for a user or web browser; selecting the two highest prime numbers, excluding 1 and the code number itself, in the code number; determining if each of these prime numbers is greater than the square root of the code number; and, if so, establishing with a web server two communication encryption keys equal to the two highest prime numbers.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to encoding methods and more particularly to methods for achieving secure communications in electronic commerce transactions.

2. Description of the Related Art

Secure communication is vital for the commercial success of electronic commerce transactions. Modern Internet commerce is predicated on the assumption that sensitive financial and personal information can be encrypted to prevent unauthorized disclosure over the common network. Typically, this is done using a standard of encryption known as “HTTPS” or Hyper Text Transfer Protocol Secure. The HTTPS protocol is selected to run on the company web server as a measure to insure that communication with a user or web browser is secured through encryption of information sent over the channel. This standard communicates information that is encrypted and decrypted at both a sender and receiver using assigned keys between both the sender and receiver. The administration of these keys is typically done through a central depository company such as that provided by RSA Security to manage the distribution of security channel keys.

It is well known that prime numbers are used as keys in electronic communications in various encryption standards. Two prime numbers multiplied together create a composite number of which only two factors are the two prime numbers. Both prime numbers can then become keys of an encrypted message in methods such as the RSA algorithm. Encryption length key standards today are 1024 bits, but it is expected that this encryption size will increase as memory and processor speeds increase to produce larger length keys. Security of the transaction, however, is predicated on the assumption that the channel of communication is secure.

In the event of a compromise of the secure HTTPS channel, little protection is available to the end user, as in a web transaction with a company, to securely exchange information with the company. Without the security of the communications channel, sending financial information such as credit card information can result in the unintended disclosure of the information to others.

Previous solutions rely on the use of a single standards-based communications method. In such solutions, when a solution to the encoding algorithm becomes publicly known, the electronic communications session can become vulnerable to attack or fraud. Another popular solution technique is to increase key size whenever the algorithm for a key code is uncovered.

Some U.S. Patents disclosing prior cryptography techniques are:

PATENT      PATENTEE
3,962,539   Ehrsam et al.
4,200,770   Hellman et al.
4,218,582   Hellman et al.
4,405,829   Rivest et al.
4,748,668   Shamir et al.
4,850,017   Matyas et al.
5,140,634   Guillou et al.
5,214,703   Lai et al.
5,231,668   Kravitz
5,315,658   Micali

BRIEF SUMMARY

In one embodiment of the present invention, a method is provided for establishing a secure channel or level of security during an Internet transaction when it is discovered that the security of the channel has been breached (i.e., is no longer secure). In this way, a user/browser can continue to communicate with a server, e.g., a bank, with a level of security, namely customer encoding security, being invoked.

In another embodiment of the present invention there is provided a method for creating customer communication encryption keys for use over a communications channel comprising the steps of: selecting a code number; selecting the two highest prime numbers, excluding 1 and the code number itself, in the code number; determining if each of these prime numbers is greater than the square root of the code number; and, if so, establishing with a web server the two communication encryption keys.

In yet another embodiment of the present invention there is provided a method for adding customer encoding on a communication channel between a user and a web server when the security of the communications channel is determined to be breached or compromised comprising the steps of: establishing a customer encoding system using an encryption method between a user or web browser/user and a web server; the customer encoding further including establishing a user name and using the customer code for establishing two (2) communication keys for the encryption method, the communication encryption keys being defined by the largest two (2) prime numbers of the customer account code; determining if the security on the communications channel has been compromised or breached; determining if the user wishes to continue; communicating between the user/browser and web server that additional customer encoding is to be used in further communications on the communication channel; prompting the user or web browser to present the user name; prompting the user for the customer account code; storing the customer account code on the user's machine and on the web server; creating communication keys; and, continuing transfer of customer encoded messages on the communications channel until communication is completed.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

The invention, together with the advantages thereof, may be understood by reference to the following description in conjunction with the accompanying figures, which illustrate some embodiments of the invention.

FIG. 1 is a block diagram of the standard prior art encryption of customer data using HTTPS (Hyper Text Transfer Protocol Secure).

FIG. 2 is a block diagram showing standard encryption of customer data using HTTPS (Hyper Text Transfer Protocol Secure) and including customer encoding of the data according to one embodiment of the present invention.

FIG. 3 is a table of one example of customer encoding including customer identifier or user name, customer account code (telephone number), number of factors, the prime number factors and the square root of the account number or account code.

FIG. 4 is a flow chart of one embodiment of the steps performed in using the customer encoding.

DETAILED DESCRIPTION

While the present invention is susceptible of embodiments in various forms, there is shown in the drawings and will hereinafter be described some exemplary and non-limiting embodiments, with the understanding that the present disclosure is to be considered an exemplification of the invention and is not intended to limit the invention to the specific embodiments illustrated. In this disclosure, the use of the disjunctive is intended to include the conjunctive. The use of the definite article or indefinite article is not intended to indicate cardinality. In particular, a reference to “the” object or “a” object is intended to denote also one of a possible plurality of such objects.

RSA is an Internet encryption and authentication system that uses an algorithm developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm is a commonly used encryption and authentication algorithm and is included as part of the Web browsers from Microsoft and Netscape. It's also part of Lotus Notes, Intuit's Quicken, and many other products. RSA Security owns rights to this particular encryption system. The company licenses the algorithm technologies and also sells development kits. The technologies are part of existing or proposed Web, Internet, and computing standards.

The mathematical details of the algorithm used in obtaining the public and private keys are available at the RSA Web site. Briefly, the algorithm involves multiplying two large prime numbers (a prime number is a number divisible only by that number and 1) and through additional operations deriving a set of two numbers that constitutes the public key and another set that is the private key. Once the keys have been developed, the original prime numbers are no longer important and can be discarded. Both the public and the private keys are needed for encryption/decryption but only the owner of a private key ever needs to know it. Using the RSA system, the private key never needs to be sent across the Internet.

The private key is used to decrypt text that has been encrypted with the public key. Thus, if a party wishes to send a message, he can find out the public key of the receiving party (but not the private key) from a central administrator and encrypt a message to the receiving party using his public key. When the encrypted message is received, it is decrypted with the private key of the receiving party. In addition to encrypting messages (which ensures privacy), one can authenticate themselves to the receiving party (so the receiving party can know who really sent the message) by using their private key to encrypt a digital certificate. When the digital certificate is received by the receiving party, they can use the sender's public key to decrypt it.

One example of the prior art encapsulation or super imposition of customer encoding of data inside of an HTTPS message is shown in FIG. 1, where the data is designated 10 and the HTTPS is designated 12. The illustrated embodiment of FIG. 1 utilizes a pre-established protocol between the user, customer or web browser and the server using customer account information or encoding which the user and server have pre-established.

In the absence of the secure channel, a customer encoding may be implemented with a customer encoding 14 as shown in the illustrated embodiment of FIG. 2 and may include the customer user name and selected customer account information, such as an account code or telephone number to perform a secondary encryption of information normally expected to be carried over a secured channel. In the absence of the secure channel, the user may be prompted to enter the account information into the user or web browser application for the process of generating communications encryption keys known to both the user/customer and the server/bank.

Upon identification of the consumer to the web server with a public identity, the web user is then prompted to enter a specific identifying code over a secure channel like HTTPS. In the event that the secure channel is detected as being unavailable, the user is given the option to send the information as an encrypted session using the user account key as the challenge response. As the account code is known both by the web site (server) and the user, consumer or web browser, this is a common key method and the recovering web server decodes the information from the user using the account code for the user as the handle of the encryption. Consequently, an additional encapsulation specific to customer data can be deployed for each and every different customer, making decoding more difficult in a hostile environment.

The user name may be the customer's user name and the customer account code can be the customer's telephone number. To create the encryption keys in one embodiment, the system determines the two largest prime numbers of the customer account code, namely, the customer's telephone number and the large prime numbers are selected to be greater than the square root of the telephone number. These two prime numbers are then used with an encryption method such as RSA (the Rivest, Shamir and Adleman crypto system), PGP (Pretty Good Privacy) encryption system or DES (Data Encryption Standard Algorithm).

Another benefit in this environment is that the key does not need to be exchanged between the parties over the public network as both can use the key to code the message to be sent. Although a common identifying key, such as a telephone number, is used, this code need not be used directly as the code for the encryption system. Through using the telephone number as an account example, an additional 22 bits of encryption strength can be applied to the encoding of messages in the communication path by doing an additional encoding based on the customer specific information.

FIG. 3 is an example of a table containing columns of: a customer identifier (e.g., a customer ID number or a user name); a customer account code; here the customer's telephone number; the number of factors in the telephone number; the factors some of which are prime numbers, as well as the square root of the customer account code.

In selecting the common key, although the account information like a telephone number is directly known to the user and the company, it is preferable to have a method for generating the most appropriate key from this data to be communicated, rather than require that the data is the key itself. The key is agreed upon prior to the HTTPS fault or during the public information session, although it is worthy to have the key choice secret to prevent possible interpretation. As such in a preferred embodiment, the largest prime factors in the factor list are used as the keys for the communication. Furthermore, only the prime factors that are larger than the square root (sqrt column shown) of the common information are used as candidates for the key selection to further increase the robustness of encryption. Also, when the customer information is prime (2 factors) or a composite number (more than 2 factors), it is desirable to select an agreed variation of the customer information such as the next higher number not meeting this condition as the agreed upon common information between the user and the web server. Alternatively, an agreed upon algorithm can be applied to the account number.
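The selection rule above can be checked directly. The following is an added example, not part of the original disclosure; the function names and the sample code number (a constructed 10-digit value) are assumptions. It applies the rule as written and reports the outcome: because the product of two distinct prime factors divides the code number, both cannot exceed its square root, so the square-root test never passes, and trial division recovers the factors of a 10-digit value in a few tens of thousands of steps.

```python
import math


def prime_factors(n):
    """Distinct prime factors of n in ascending order, by trial division."""
    found, d = [], 2
    while d * d <= n:
        if n % d == 0:
            found.append(d)
            while n % d == 0:
                n //= d
        d += 1 if d == 2 else 2  # after 2, test odd divisors only
    if n > 1:
        found.append(n)  # whatever remains is itself prime
    return found


def select_keys(code):
    """Apply the selection rule from the text to one code number.

    Returns (keys, reason). keys is a (smaller, larger) tuple when the two
    highest prime factors both pass the square-root test, otherwise None.
    """
    # "excluding 1 and the code number itself"
    candidates = [p for p in prime_factors(code) if p != code]
    if len(candidates) < 2:
        return None, "fewer than two prime factors"
    q, p = candidates[-2], candidates[-1]
    # Integer form of "greater than the square root": x * x > code.
    if q * q > code and p * p > code:
        return (q, p), "both candidates exceed the square root"
    return None, "prime factor %d is below the square root (about %d)" % (
        q, math.isqrt(code))


def search_variation(code, span):
    """Fallback from the text: try code +/- n for n = 1..span.

    Returns (variant, keys) for the first variant that passes, else None.
    """
    for n in range(1, span + 1):
        for variant in (code + n, code - n):
            keys, _ = select_keys(variant)
            if keys:
                return variant, keys
    return None


# Constructed sample: a 10-digit code number built from two known primes.
SAMPLE_CODE = 65537 * 104729

if __name__ == "__main__":
    print("code number:", SAMPLE_CODE, "(%d bits)" % SAMPLE_CODE.bit_length())
    print("prime factors:", prime_factors(SAMPLE_CODE))
    print("rule result:", select_keys(SAMPLE_CODE))
    print("variation search:", search_variation(SAMPLE_CODE, 50))
```

A 10-digit code number occupies at most 34 bits, so the set of possible code numbers is itself small enough to enumerate.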

A flow chart illustrating one embodiment of a method for carrying out the encoding is shown in FIG. 4. After starting the web browser as illustrated at block 30 the user loads the URL list of visited sites that ran HTTPS and then collects the current URL being accessed as shown at 31, 32. Next, a determination is made at block 33 as to whether the current URL being accessed is on the last secure access list. In other words, is the security HTTPS for this channel from a user to a web server (such as a bank site) secure or has it been breached?

Subsequently, a determination is made as to whether the HTTPS that has been breached is the HTTPS in your web browser illustrated at block 34. If the answer is yes, the user is queried as to whether additional security is desired as shown at block 35. Here the user can elect to terminate the session or determine if HTTPS is at risk and if so, send a request to the web server/bank for additional security as illustrated by blocks 36, 37 and 38. At this stage in the process the type of security, e.g., RSA, PGP, DES, etc., has already been pre-established using the two highest prime numbers of the customer account code/telephone number and numbers that are greater than the square root of the telephone number.

As illustrated at block 39, from the sub routine (see blocks 35, 37 and 38) and from the main routine (see block 34) the web server of the user is notified that the communications channel is no longer secure, i.e., HTTPS has been breached or compromised. The web server then prompts the user for the user name or public ID and the user sends the user name as illustrated by block 40. The web server then sends the encryption method, previously agreed upon, to the user or web browser for the user to execute and the user is prompted for the agreed upon account code, e.g., telephone number, as shown at blocks 41, 42. The account code or telephone number is stored on the user machine and the server and communication keys are created as illustrated at blocks 43, 44.

Messages are communicated back and forth between the user and the web server using the communication keys until the user changes the address of the URL being accessed by the user and the communication is determined to be completed (see blocks 45, 46).

Specific embodiments of novel methods for secure communication have been described for exemplification of the invention and are not intended to limit the invention to the specific embodiments illustrated. Numerous modifications and variations can be effectuated without departing from the scope of the novel concepts of the invention. It is to be understood that no limitation with respect to the specific embodiment illustrated is intended or should be inferred. Accordingly, it is contemplated to cover by the applied claims any and all embodiments, modification, variations or equivalents that fall within the scope of the invention disclosed and claimed herein.

1. A method for adding customer encoding on a communication channel between a user and a web server when the security of the communications channel is determined to be breached or compromised comprising the steps of: establishing a customer encoding system using an encryption method between a user and a web server; the customer encoding including establishing a user name and using the customer code for establishing two (2) communication keys for the encryption method, the communication encryption keys being defined by the largest two (2) prime numbers of the customer account code; determining if the security on the communications channel has been compromised or breached; determining if the user wishes to continue; communicating between the user and web server that additional customer encoding is to be used in further communications on the communication channel; prompting the user to present the user name; prompting the user for the customer account code; storing the customer account code on the user's machine and on the web server; creating communication keys; and, continuing transfer of customer encoded messages on the communications channel until communication is completed.

2. The method of claim 1, wherein the communications channel is provided with a first level of HTTPS encryption.

3. The method of claim 1, wherein the encryption method is selected from one of RSA, PGP or DES algorithm.

4. The method of claim 1, wherein said communication keys are chosen as the largest two (2) prime numbers in the customer account code except for the customer code account number itself and the number 1.

5. The method of claim 1, wherein the account code number cannot be a number which has one of its two largest prime numbers equal to a number less than the square root of the account code number.

6. The method of claim 1 wherein the code number is the user's telephone number, except where two prime numbers in excess of the code number and the number 1 cannot be obtained from the code number.

7. The method of claim 6 wherein the two prime numbers each must be greater than the square root of the telephone number.

8. A method for creating communication encryption keys for use over a communications channel comprising the steps of: selecting a code number; selecting the two highest prime numbers, excluding 1 and the code number itself, in the code number; determining if each of these prime numbers is greater than the square root of the code number; and, if so, establishing with a web server two communication encryption keys equal to the two highest prime numbers.

9. The method of claim 8 wherein the code no. is the user's telephone number.

10. The method of claim 8 wherein a number equal to the code number modified by an algorithm is selected when two prime numbers cannot be obtained from the code number or when one of the two highest prime numbers is less than the square root of the code number.

11. The method of claim 8 wherein a number equal to the code number ± n is selected when two prime numbers cannot be obtained from the code number or when one of the two highest prime numbers is less than the square root of the code number.
12. A system for adding customer encoding on a communications channel between a user and a web server when the security of the communications channel is determined to be breached or compromised comprising; communication equipment for establishing a customer encoding system using an encryption method between a user and a web server; said communication equipment being operable for establishing two (2) communication keys for the encryption method including the use of a customer user name and using a customer account code, the communication encryption keys being defined by the largest two (2) prime numbers of the customer account code; said communication equipment being capable of determining if the security on the communications channel has been compromised or breached; said communication equipment being capable of communicating an indication from the user that the user wishes to continue communicating on the communications channel notwithstanding the breach or compromise; said communication equipment being capable of communicating to the user and web server that additional customer encoding is to be used in further communications on the communication channel; said communication equipment then prompting the user to present the user name and then prompting the user for the customer account code; said communication equipment then storing the customer account code on the user's machine and on the web server followed by creating the communication keys; and, said communication equipment continuing transfer of customer encoded messages on the communications channel until communication is completed.

13. The system of claim 12, wherein the communications channel is provided with a first level of HTTPS encryption.

14. The system of claim 12, wherein the encryption method is selected from one of RSA, PGP or DES algorithm.

15. The system of claim 12, wherein said communication keys are chosen as the largest two (2) prime numbers in the customer account code except for the customer code account number itself and the number 1.

16. The system of claim 12, wherein the account code number cannot be a number which has one of its two largest prime numbers equal to a number less than the square root of the account code number.

17. The system of claim 12, wherein the code number is the user's telephone number, except where two prime numbers in excess of the code number and the number 1 cannot be obtained from the code number.

18. The system of claim 17 wherein the two prime numbers each must be greater than the square root of the telephone number.

19. A system for creating communication encryption keys for use over a communications channel comprising: communication equipment for selecting a code number; said communication equipment selecting the two highest prime numbers, excluding 1 and the code number itself, in the code number; said communication equipment being capable of determining if each of these prime numbers is greater than the square root of the code number; and, if so, said communication equipment being capable of establishing two communication encryption keys equal to the two highest prime numbers.

20. The system of claim 19 wherein the code no. is the user's telephone number.

21. The system of claim 19 wherein a number equal to the code number modified by an algorithm is selected when two prime numbers cannot be obtained from the code number or when one of the two highest prime numbers is less than the square root of the code number.

22. The system of claim 19 wherein a number equal to the code number ± n is selected when two prime numbers cannot be obtained from the code number or when one of the two highest prime numbers is less than the square root of the code number.
23. A system for receiving customer encoding on a communications channel between a user and a web server when the security of the communications channel is determined to be breached or compromised comprising; communication equipment for establishing a customer encoding system using an encryption method between a user and web server; said communication equipment being operable for establishing two (2) communication keys for the encryption method including the use of a selected customer identifier account code; the communication encryption keys being defined by the largest two (2) prime numbers of the customer account code; said communication equipment being capable of determining if the security on the communications channel has been compromised or breached; said communication equipment being capable of communicating an indication from the user that the user wishes to continue communicating on the communications channel; said communication equipment being capable of communicating to the user that additional customer encoding is to be used in further communications on the communication channel; said communication equipment then prompting the user to present the user customer identifier code; said communication equipment retrieving the customer account code on the web server followed by creating the communication keys; and, said communication equipment continuing transfer of customer encoded messages on the communications channel until communication is completed.

24. The system of claim 23, wherein the communications channel is provided with a first level of HTTPS encryption.

25. The system of claim 23, wherein the encryption method is selected from one of RSA, PGP or DES algorithm.

26. The system of claim 23, wherein said communication keys are chosen as the largest two (2) prime numbers in the customer account code except for the customer code account number itself and the number 1.

27. The system of claim 23, wherein the account code number cannot be a number which has one of its two largest prime numbers equal to a number less than the square root of the account code number.

28. The system of claim 23, wherein the code number is the user's telephone number, except where two prime numbers in excess of the code number and the number 1 cannot be obtained from the code number.